Monday, November 12, 2012

[CTF] cscamp quals: web200


The challenge asks us to submit the solution to an equation. Looking around for that equation, we check the HTTP response headers and find it in a custom EQ header:
kroosec@dojo:~$ curl -i http://176.9.193.13/ASmallCalculationChal411A784Y.php
HTTP/1.1 200 OK
Date: Fri, 09 Nov 2012 02:51:03 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.18
Set-Cookie: x0x=g2jiqbg2ebeol7qn1h9j0ljd24; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
EQ: YXJyYXkgKAogIDAgPT4gMTk1MDM0Njk5MiwKICAxID0+ICcqJywKICAyID0+IDM3NTI5MjE3NywKICAzID0+ICdeJywKICA0ID0+IDc4ODU4ODMyNCwKICA1ID0+ICcrJywKICA2ID0+IDgxNDA1MTc2MCwKICA3ID0+ICctJywKICA4ID0+IDEzNTc3MTM2MzcsCik=
Vary: Accept-Encoding
Content-Length: 189
Content-Type: text/html

<!-- what are you looking for here ? -->
<title>some thing </title>
<form method="POST">
    Enter The Result of the equation :
    <input name="result" >
    <input type="submit">
</form>
The content of the EQ (equation!) header is base64 encoded. Decoding it gives:
kroosec@dojo:~/notes/cscamp$ echo -n "YXJyYXkgKAogIDAgPT4gMTk1MDM0Njk5MiwKICAxID0+ICcqJywKICAyID0+IDM3NTI5MjE3NywKICAzID0+ICdeJywKICA0ID0+IDc4ODU4ODMyNCwKICA1ID0+ICcrJywKICA2ID0+IDgxNDA1MTc2MCwKICA3ID0+ICctJywKICA4ID0+IDEzNTc3MTM2MzcsCik=" | base64 -d
array (
  0 => 1950346992,
  1 => '*',
  2 => 375292177,
  3 => '^',
  4 => 788588324,
  5 => '+',
  6 => 814051760,
  7 => '-',
  8 => 1357713637,
)
The header content changes with every HTTP response, and the result has to be submitted in under 2 seconds. Here is a quick Python script that fetches the page, decodes the EQ header, has php evaluate the equation, and posts the result back with the cookie from the first response (the server uses that session cookie to check that the answer arrived within the 2 seconds).
# Python 3 port of the original (Python 2) one-off script: fetch the page, decode
# the EQ header, let php evaluate it and post the answer back with the same cookie.
import base64
import subprocess
import requests

URL = "http://176.9.193.13/ASmallCalculationChal411A784Y.php"

response = requests.get(URL)
cookies = dict(x0x=response.cookies['x0x'])   # same session, so the 2-second timer applies to us
eqhdr = base64.b64decode(response.headers['eq']).decode()
equation = ""
for line in eqhdr.split(',')[:-1]:             # last chunk is the closing ")"
    equation += line.split()[-1].strip("'")    # value after "=>", operators unquoted
# Evaluate with php rather than Python so integer handling matches the server's.
# Passing argv (no shell) means a hostile header cannot break out of the command line.
result = subprocess.run(["php", "-r", "echo " + equation + ";"],
                        capture_output=True, text=True, check=True).stdout.strip()
result = requests.post(URL, data={"result": result}, cookies=cookies)
print(result.text)
kroosec@dojo:~$ python pwn-web200.py
your key is : 94b85aae697641c8732c9136603e0cf5
As a side note, I spent a couple of minutes wondering why the server kept saying that the provided result was wrong. That was because I was initially evaluating the equation in Python directly instead of passing it to the php interpreter, so I was ending up with results such as 3870519785 (python) versus 3870519784 (php), so that is something to keep track of.
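A more careful solver for the same challenge, added here as an example; it is not the script from the original post. It parses the EQ header strictly (only integers and the four operators seen above get through, so a hostile header cannot smuggle shell metacharacters into the php command line), keeps both requests in one cookie jar so the server's timer sees the same x0x session, and hands the expression to php as a single argv element instead of through a shell. It also carries an exact-integer evaluator with the precedence that both PHP and Python apply to these operators (`*` before `+` and `-`, with `^` as bitwise XOR below all three) as a reference point for the side note: PHP silently promotes integer arithmetic that overflows the platform int to a double, which keeps only 53 significant bits, so once intermediates get large its answer can drift from exact integer math, and that is one reason to let php rather than Python produce the submitted value. Assumed rather than taken from the page: the header layout (a flat `var_export()` array) is stable, the stdlib `urllib` stands in for `requests`, a `php` CLI is on PATH, and the hostile header is constructed for the example.

```python
"""Solver for the web200 "equation" challenge (added example, not the original script).

Assumed, not taken from the page: the EQ header is always the var_export() of a
flat PHP array alternating integers and one-character operators, the target URL
is the one from the write-up, and a `php` CLI is on PATH.
"""
import base64
import http.cookiejar
import re
import subprocess
import sys
import urllib.parse
import urllib.request

URL = "http://176.9.193.13/ASmallCalculationChal411A784Y.php"

# The EQ header exactly as it appeared in the curl output above.
EQ_HEADER = "YXJyYXkgKAogIDAgPT4gMTk1MDM0Njk5MiwKICAxID0+ICcqJywKICAyID0+IDM3NTI5MjE3NywKICAzID0+ICdeJywKICA0ID0+IDc4ODU4ODMyNCwKICA1ID0+ICcrJywKICA2ID0+IDgxNDA1MTc2MCwKICA3ID0+ICctJywKICA4ID0+IDEzNTc3MTM2MzcsCik="

# A constructed hostile header: the "operator" carries shell metacharacters,
# which a string-built os.popen("php -r '...'") would have handed to /bin/sh.
MALICIOUS_HEADER = base64.b64encode(
    b"array (\n  0 => 1,\n  1 => '*'; id; echo '',\n  2 => 2,\n)").decode()

ENTRY = re.compile(r"^\s*\d+\s*=>\s*(?:(-?\d+)|'([-+*^])'),?$")
EXPR = re.compile(r"-?\d+(?:[-+*^]-?\d+)*")


def parse_eq(header_b64):
    """Decode the EQ header into [int, op, int, op, ..., int]; reject anything else."""
    text = base64.b64decode(header_b64, validate=True).decode("ascii")
    lines = text.splitlines()
    if len(lines) < 3 or lines[0].strip() != "array (" or lines[-1].strip() != ")":
        raise ValueError("not a var_export() array")
    tokens = []
    for line in lines[1:-1]:
        m = ENTRY.match(line)
        if not m:
            raise ValueError("unexpected array entry: %r" % line)
        tokens.append(int(m.group(1)) if m.group(1) is not None else m.group(2))
    # Shape check: number, operator, number, ..., number.
    if len(tokens) % 2 == 0 or any(isinstance(t, str) != (i % 2 == 1)
                                    for i, t in enumerate(tokens)):
        raise ValueError("tokens do not alternate number/operator")
    return tokens


def to_php_expr(tokens):
    """Render validated tokens as the expression php will echo."""
    return "".join(str(t) for t in tokens)


def eval_exact(tokens):
    """Exact-integer reference with PHP's (and Python's) precedence: * before
    + and -, and ^ (bitwise XOR) below all three.  PHP promotes an overflowing
    int to a double, so its own answer can drift from this once values get big."""
    result, group = 0, []
    for t in tokens + ["^"]:          # sentinel flushes the final group
        if t == "^":
            result ^= _eval_arith(group)
            group = []
        else:
            group.append(t)
    return result


def _eval_arith(group):
    """Evaluate [int, op, int, ...] with op in {+, -, *}, * binding tighter."""
    terms, ops = [group[0]], []
    for op, num in zip(group[1::2], group[2::2]):
        if op == "*":
            terms[-1] *= num          # fold the product into the last term
        else:
            ops.append(op)
            terms.append(num)
    total = terms[0]
    for op, num in zip(ops, terms[1:]):
        total = total + num if op == "+" else total - num
    return total


def php_eval(expr):
    """Ask the php CLI for the server's notion of the answer.  The expression
    travels as one argv element (no shell) and must match EXPR first."""
    if not EXPR.fullmatch(expr):
        raise ValueError("refusing to evaluate: %r" % expr)
    proc = subprocess.run(["php", "-r", "echo %s;" % expr],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def solve(url=URL, timeout=2.0):
    """GET the challenge, compute the answer, POST it within the same session."""
    jar = http.cookiejar.CookieJar()  # keeps x0x, which ties the 2-second timer to us
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(url, timeout=timeout) as resp:
        header = resp.headers["EQ"]   # header names are matched case-insensitively
    answer = php_eval(to_php_expr(parse_eq(header)))
    body = urllib.parse.urlencode({"result": answer}).encode()
    with opener.open(url, data=body, timeout=timeout) as resp:  # data= makes it a POST
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    print(solve(sys.argv[1] if len(sys.argv) > 1 else URL))
```

Run it with the challenge URL as the only argument; `parse_eq` raising on `MALICIOUS_HEADER` is the whole point of the whitelist, and `eval_exact` is there to compare against what php prints when you want to see whether an intermediate crossed the integer range.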
